ltdrdata / ComfyUI-Workflow-Component

This is a side project to experiment with using workflows as components.
GNU General Public License v3.0

Is it necessary to avoid loading components from dotted directory? #32

Open asbytes opened 5 months ago

asbytes commented 5 months ago

Is there any substantial reason to skip loading of components which are placed in a dotted dir? I mean this: https://github.com/ltdrdata/ComfyUI-Workflow-Component/blob/cbcb88ddbba9a7d869ed04de05c851751db3fa9a/workflow_component/component_loader.py#L528 I have my whole ComfyUI setup in a dotted directory in my user profile dir, and components aren't loaded until I remove this check.

ltdrdata commented 5 months ago

That is a sanitizer for standard security. It prevents access outside of ComfyUI using relative paths.

asbytes commented 5 months ago

This code doesn't receive any user input, which could lead to path traversal.

Gerschel commented 5 months ago

@asbytes Sure it can. What you are not realizing is that the author has written code to override the functionality of other nodes, such as load image, to embed image refiner. I too have done a similar thing, via JavaScript; this is how I modified the LoadImage node so I can inject my own commands. If I chose to, I can target this author's nodes/refiner, and skip the endpoints check, and use this script to bypass it, if `if any(part.startswith(".") for part in root.split("/")):` wasn't in place. This effectively replaces the functions.

            var originalLoadImageNode = LiteGraph.registered_node_types['LoadImage'];

            // Define the extended node
            function ExtendedLoadImage() {
                originalLoadImageNode.call(this); // Call the original constructor

                // Modify the upload button widget after the node is fully initialized
                setTimeout(() => {
                    var uploadWidget = this.widgets.find(w => w.name === 'upload');
                    if (uploadWidget) {
                        uploadWidget.callback = () => {
                            myLoadAnythingScriptAndSendWithFetchCanGoHere();
                        };
                    }
                }, 0);
            }

            // Inherit from the original node type
            ExtendedLoadImage.prototype = Object.create(originalLoadImageNode.prototype);
            ExtendedLoadImage.prototype.constructor = ExtendedLoadImage;

            // Register the new node type
            LiteGraph.registerNodeType('LoadImage', ExtendedLoadImage);
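
The trade-off debated in this thread, shown as an added example that is not code from ComfyUI-Workflow-Component or from any commenter: it runs the quoted dotted-part check next to a resolved-path containment check on the same inputs. The helper names, the directory layout and the sample paths are constructed assumptions.

```python
import os
import tempfile


def dotted_part_check(root):
    """The condition quoted in the thread; True means the directory is skipped."""
    return any(part.startswith(".") for part in root.split("/"))


def is_within(base_dir, candidate):
    """True only if candidate, resolved against base_dir, stays inside base_dir."""
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks; an absolute candidate
    # replaces base in os.path.join and is then rejected by the comparison.
    target = os.path.realpath(os.path.join(base, candidate))
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:  # e.g. paths on different drives on Windows
        return False


def demo():
    """Constructed layout: an install that lives under a dotted directory."""
    with tempfile.TemporaryDirectory() as tmp:
        install = os.path.join(tmp, ".apps", "ComfyUI", "components")
        outside = os.path.join(tmp, "secrets")
        os.makedirs(os.path.join(install, "sub"))
        os.makedirs(outside)
        results = {
            # The dotted check skips a legitimate directory under ".apps" ...
            "dotted_skips_legit": dotted_part_check(
                install.replace(os.sep, "/") + "/sub"),
            # ... and also matches "..", which is why it stops relative escapes.
            "dotted_catches_dotdot": dotted_part_check("components/../../etc"),
            "within_legit": is_within(install, "sub"),
            "within_traversal": is_within(install, "../../../secrets"),
            "within_absolute": is_within(install, outside),
        }
        try:
            # A symlink inside the tree that points out of it.
            os.symlink(outside, os.path.join(install, "link"))
            results["within_symlink"] = is_within(install, "link/x.json")
        except (OSError, NotImplementedError):
            pass  # symlinks unavailable on this platform; case not exercised
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The containment check accepts the install under the dotted directory and still rejects `..` sequences, absolute paths and symlinks that leave the base directory.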